<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">

<qhelp>

<overview>

<p>

Template injection occurs when user input is embedded in a template's code in an unsafe manner.

An attacker can use native template syntax to inject a malicious payload into a template, which is then executed server-side.

This permits the attacker to run arbitrary code in the server's context.

</p>

</overview>

<recommendation>

<p>

To fix this, ensure that untrusted input is not used as part of a template's code. If the application requirements do not allow this,

use a sandboxed environment where access to unsafe attributes and methods is prohibited.

</p>

</recommendation>

<example>

<p>

In the example given below, an untrusted HTTP parameter <code>code</code> is used as a Velocity template string.

This can lead to remote code execution.

</p>

<sample src="SSTIBad.java" />

<p>

In the next example, the problem is avoided by using a fixed template string <code>s</code>.

Since the template's code is not attacker-controlled in this case, this solution prevents the execution of untrusted code.

</p>

<sample src="SSTIGood.java" />

</example>

<references>

<li>Portswigger: <a href="https://portswigger.net/web-security/server-side-template-injection">Server Side Template Injection</a>.</li>

</references>

</qhelp>